From:	 Ahmet Sabri ALPER <s_alper@hotmail.com>
To:	 bugtraq@securityfocus.com
Subject: [ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Date:	 16 Mar 2002 23:24:45 -0000



+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A07      ---/----------/+
+/-----------\---- salper@olympos.org    --/-----------/+


Advisory Information
--------------------
Name               : ARSC Really Simple Chat System Information
                     Path Disclosure Vulnerability
Software Package   : ARSC Really Simple Chat
Vendor Homepage    : http://manuel.kiessling.net/projects/software/arsc/
Vulnerable Versions: v1.0.1 and v1.0
Platforms          : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 15/03/2002
Prior Problems     : N/A
Current Version    : v1.0.1 (vulnerable)


Summary
-------
ARSC is a web chat system built on PHP and MySQL that 
supports web-based chatting with almost every browser 
type, from a JavaScript, frames and server push / socket 
server interface on modern browsers down to a one-page 
reload-yourself lynx version.

A vulnerability exists in ARSC Really Simple Chat, 
which could allow any remote user to view the full 
path to the web root.


Details
-------
A remote user who submits a maliciously crafted HTTP 
request to a site running ARSC Really Simple Chat can 
obtain the absolute path to the web root from the 
resulting error message, and further information about 
the system might be revealed as well.

This issue may be exploited by requesting an invalid 
language file in "home.php".

Example:
http://ARSC_site/home.php?arsc_language=elvish
where "elvish" is a non-existent language file.

This would return the web root path in an error 
message:
"Warning: Failed opening 'shared/language/elvish.inc.php' 
for inclusion (include_path='.:/usr/local/lib/php') in 
/var/ftproot/blahblah/site/home.php on line 6"


This information may be used to aid in 
further "intelligent" attacks against the host running 
the vulnerable ARSC Really Simple Chat system.


Solution
--------
The vendor confirmed the vulnerability in ARSC 
Really Simple Chat, versions 1.0.1 and 1.0. They 
added that they will be releasing a new version soon, 
which will be immune to this vulnerability and will be 
named v1.0.1p1.

For now you can use my suggested workaround:
Adding an IF statement in "home.php" to check 
whether the requested language pack is installed.

// Build the path of the requested language pack and stop
// before include() can emit a warning containing the
// absolute script path.
$dosya = "shared/language/" . $arsc_language . ".inc.php";
if (! file_exists ($dosya)) {
   die ("Language file missing.");
}

This will end the script if a non-existent language was 
selected. Add this piece of code to the beginning 
of "home.php" with no warranties.
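A stricter form of the same check, written for this advisory as an added example and not taken from ARSC or its vendor: it validates the language name against a fixed character set and confirms the resolved file lies inside the language directory before anything is included, and fails with a generic message so no filesystem path reaches the client. It assumes the directory layout quoted in the advisory (shared/language/<name>.inc.php) and that the language name arrives in the arsc_language request parameter.

```php
<?php
// Added hardening example (not ARSC's own code). Assumed layout from the
// advisory: language packs live in shared/language/<name>.inc.php.
define('ARSC_LANGUAGE_DIR', __DIR__ . '/shared/language');

/**
 * Return the absolute path of the installed language pack $name,
 * or null when $name is not a plain identifier or no such pack exists.
 */
function arsc_language_file($name)
{
    // Letters, digits, underscore and hyphen only: this rejects path
    // separators, "..", NUL bytes and anything else that is not a name.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name)) {
        return null;
    }
    $path = ARSC_LANGUAGE_DIR . '/' . $name . '.inc.php';
    if (!is_file($path)) {
        return null;
    }
    // realpath() resolves symlinks, so a pack that points outside the
    // language directory is refused as well.
    $real = realpath($path);
    $dir  = realpath(ARSC_LANGUAGE_DIR);
    if ($real === false || $dir === false
        || strpos($real, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Usage at the top of home.php: read the parameter explicitly instead of
// relying on register_globals, and fail closed with a generic message so
// the absolute path is never shown even when display_errors is enabled.
$requested     = isset($_GET['arsc_language']) ? $_GET['arsc_language'] : 'en';
$language_file = arsc_language_file($requested);
if ($language_file === null) {
    header('HTTP/1.0 400 Bad Request');
    die('Language file missing.');
}
include $language_file;
```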


Credits
-------
Discovered on 15 March 2002 by 
Ahmet Sabri ALPER 
salper@olympos.org
Olympos Turkish Security Portal: 
http://www.olympos.org


References
----------
Product Web Page: http://manuel.kiessling.net/projects/software/arsc/